Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1

2010-03-05 Thread Dimitrios Siganos
Sucha Singh wrote:
 Hi Andreas,

 Reviewing the above settings I added the following line to the ipsec.conf:

 ike=3des-sha1-md5-modp1024

 I then get the following errors:

 002 test #1: initiating Main Mode
 003 test #1: no IKE algorithms for this connection (check ike algorithm 
 string)
 003 test #1: empty ISAKMP SA proposal to send (no algorithms for ike 
 selection?)

 Was I right to add the above setting?
That setting looks wrong to me. You probably want:

ike=3des-sha1-modp1024
or
ike=3des-md5-modp1024
or both
ike=3des-sha1-modp1024,3des-md5-modp1024

Dimitris Siganos

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1

2010-03-04 Thread Sucha Singh
Hi Andreas,

Thanks again, the below was the response from our network administrator to your 
question:

I don’t think we do any certificate based authentication.  There certainly 
isn’t any client side certificate.

Here are some more settings from our VPN:-

IKE Properties:-

Support key exchange encryption with:

3DES - enabled
AES-256 - enabled
DES - enabled

Support data integrity with:

MD5 - enabled
SHA1 - enabled

Support authentication methods:

Pre-Shared Secret - disabled
Public Key Signatures - disabled

Advanced IKE Properties:-

Support Diffie–Hellman groups for IKE (phase 1) Security associations:

Group 2 (1024 bit) - enabled

Reviewing the above settings I added the following line to the ipsec.conf:

ike=3des-sha1-md5-modp1024

I then get the following errors:

002 test #1: initiating Main Mode
003 test #1: no IKE algorithms for this connection (check ike algorithm 
string)
003 test #1: empty ISAKMP SA proposal to send (no algorithms for ike 
selection?)

Was I right to add the above setting?

Just to reiterate the point again, I am using a challenge-response security 
token that generates an OTP (One Time Password).  Just to clarify, I do the 
following in Windows to connect to the VPN:

1) Click connect on the CheckPoint Client
2) It will prompt me for Username and Password credentials
3) I input my Username (Numeric) into the security token, upon entering the 
correct Username it will generate a Password
4) I then input my Username and the Password generated by the security token, 
it then gives a message of authenticating against a RADIUS server, then 
successfully connects

I've never been given any certificate to install on my client.

I'm optimistic that with the help of all you kind individuals that I am getting 
closer to connecting :-)

Thanks Again,

Jana


Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1

2010-03-03 Thread Sucha Singh
Hi All,

Thanks Martin, I've made some more progress, I am now getting the following 
error when I run ipsec up test:

002 test #2: initiating Main Mode
104 test #2: STATE_MAIN_I1: initiate
003 test #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN
010 test #2: STATE_MAIN_I1: retransmission; will wait 20s for response
010 test #2: STATE_MAIN_I1: retransmission; will wait 40s for response
031 test #2: max number of retransmissions (2) reached STATE_MAIN_I1.  No 
response (or no acceptable response) to our first IKE message

My ipsec.conf now looks like this:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    plutostart=yes
    nat_traversal=yes
    plutodebug=all

# Add connections here.

conn test
   auto=add
   authby=xauthrsasig
   forceencaps=yes
   keyexchange=ikev1
   keyingtries=1
   type=tunnel
   xauth=client
   right=IP address of CheckPoint VPN
   left=IP address of my laptop

# include /var/lib/strongswan/ipsec.conf.inc

From what sense I can make from the error, I assume it means that my client 
request has reached the VPN gateway, but the authentication/encryption 
protocols don't match?

I sincerely appreciate the help you guys are providing.

Regards,

Jana



Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1

2010-03-03 Thread Andreas Steffen
Hello Jana,

the log entry:

ignoring informational payload, type NO_PROPOSAL_CHOSEN

means that the CheckPoint box does not like your proposal.
Is it really configured to do XAUTH with certificate-based
mutual authentication?

Regards

Andreas


==
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==



Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1

2010-03-02 Thread Martin Willi
Hi,

 conn test
         authby=xauthrsasig
         forceencaps=yes
         keyexchange=ikev1
         keyingtries=1
         type=tunnel
         xauth=client
         right=CheckPoint VPN Firewall IP Address
         leftsourceip=%modeconfig

 ipsec up test
 021 no connection named test

You additionally need the auto parameter. auto=add loads the
configuration to the IKE daemon. auto=start additionally starts the
connection automatically. man ipsec.conf for details.

Regards
Martin
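As an added example (not code from the thread or from the strongSwan project), a small Python linter for the two ipsec.conf mistakes this thread runs into: Martin's point here that a conn without auto= is never loaded by the daemon, and Dimitrios's correction at the top of the thread that an ike= proposal may carry only one integrity algorithm, with alternatives separated by commas. The algorithm tables and the parsing rules are a simplified assumption, not pluto's own implementation.

```python
"""Lint an ipsec.conf for two mistakes raised in this thread: a conn without auto=
(pluto never loads it: 'no connection named test') and an ike= string that packs
two integrity algorithms into one proposal. Algorithm tables are an assumed subset."""
import re

# Token classes of a pluto-style proposal ENC-INTEG-DHGROUP (assumed subset).
ENC = {"des", "3des", "aes", "aes128", "aes192", "aes256"}
INTEG = {"md5", "sha1", "sha256", "sha384", "sha512"}
DH = {"modp768", "modp1024", "modp1536", "modp2048", "modp4096"}

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' / 'conn NAME' open a section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        m = re.match(r"^(config|conn)\s+(\S+)\s*$", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
        elif current and "=" in line:                  # indented key=value
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_ike_proposal(ike):
    """Return the problems found in a comma-separated ike= string."""
    problems = []
    for proposal in (p.strip() for p in ike.split(",")):
        found = {"enc": [], "integ": [], "dh": []}
        for tok in proposal.rstrip("!").split("-"):    # trailing '!' = strict
            cls = ("enc" if tok in ENC else "integ" if tok in INTEG
                   else "dh" if tok in DH else None)
            if cls is None:
                problems.append(f"{proposal}: unknown algorithm '{tok}'")
            else:
                found[cls].append(tok)
        for cls, toks in found.items():
            if len(toks) > 1:       # two of one class in a single proposal
                problems.append(f"{proposal}: more than one {cls} algorithm "
                                f"({'/'.join(toks)}); use one comma-separated "
                                "proposal per algorithm")
            elif not toks and cls != "dh":  # pluto needs enc and integ
                problems.append(f"{proposal}: no {cls} algorithm")
    return problems

def lint(text):
    """Findings for every conn section of an ipsec.conf text."""
    findings = []
    for name, params in parse_ipsec_conf(text).items():
        if not name.startswith("conn "):
            continue
        if "auto" not in params:
            findings.append(f"{name}: missing auto= (conn is never loaded)")
        if "ike" in params:
            findings.extend(f"{name}: ike={p}" for p in check_ike_proposal(params["ike"]))
    return findings

# Constructed sample modelled on the thread's ipsec.conf (192.0.2.1 = placeholder).
BROKEN_CONF = """\
conn test
    authby=xauthrsasig
    keyexchange=ikev1
    xauth=client
    ike=3des-sha1-md5-modp1024
    right=192.0.2.1
"""
FIXED_CONF = BROKEN_CONF.replace("conn test\n", "conn test\n    auto=add\n").replace(
    "ike=3des-sha1-md5-modp1024", "ike=3des-sha1-modp1024,3des-md5-modp1024")
```

Running lint(BROKEN_CONF) reports both the missing auto= and the doubled integrity algorithm; lint(FIXED_CONF) returns no findings.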




Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1

2010-03-01 Thread Sucha Singh
Hi Andreas,

Thank you for your prompt response, I appreciate it.  I can confirm that we are 
indeed using IKEv1 Main Mode.

I have the pluto daemon installed, however I have no idea how to configure the 
ipsec.conf file.  I have opened it in a text editor and I am struggling to make 
sense of most of the parameters.  I can't appear to find anything in the online 
documentation to define what the parameters mean.

Could you possibly construct the file for me based on the information I have 
already supplied?  I will fill the blanks like site IP address etc.

Thanks again for your time and support.

Jana




  


Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1

2010-03-01 Thread Daniel Mentz
Hi Jana,

please go to

http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples

for IKEv1 configuration examples. PSK with XAUTH authentication and 
virtual IP addresses or RSA with XAUTH authentication and virtual IP 
addresses is probably the right one for you.

Please refer to

http://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf

for definitions of the individual parameters.

-Daniel






[strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1

2010-02-28 Thread Sucha Singh
Hi,

I'm looking to use strongSwan to connect to my company CheckPoint VPN, as I am 
new to Linux and networking I am really struggling to get anything working.  I 
have an ActivIdentity token that generates a password that authenticates against 
a RADIUS server, below is a list of facts I know from my CheckPoint config from 
Windows:

I have an IP address for company site
Authentication - Challenge Response
NAT-T protocol - enabled
Office Mode - enabled
Use NAT traversal tunneling - enabled
IKE over TCP - enabled
Force UDP encapsulation - enabled

I have attempted to use the Network Manager GUI to connect but it fails with 
VPN service failed to start, the syslog file contains a host of errors.  The 
settings I attempted were:

Gateway:
Address - IP address of my company site
Certificate - None

Client:
Authentication - EAP
Username - My id I use for my token to generate password

Options -
Request an inner IP address - unchecked
Enforce UDP encapsulation - checked
Use IP compression - unchecked

My questions would be:

1) Does strongSwan support the protocols/authentication methods I describe for 
CheckPoint VPN
2) If yes, then does my setup through Network Manager look correct
3) If yes, then is it a case of posting the sys.log errors for someone to 
kindly look at

I appreciate anyone's help and time with this.

Regards,

Jana



  


Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1

2010-02-28 Thread Andreas Steffen
Hi,

as far as I know, the CheckPoint VPN gateway does not support the IKEv2
protocol. Therefore you can't use the strongSwan NetworkManager plugin
to set up a connection.

The CheckPoint VPN gateway most probably will use IKEv1 and XAUTH.
The first thing to find out is whether IKEv1 Main Mode is used
by the CheckPoint box since strongSwan does not support the
potentially insecure IKEv1 Aggressive Mode. If Main Mode is
possible then you can configure strongSwan's IKEv1 pluto daemon
via /etc/ipsec.conf.

Best regards

Andreas


